orcus | 4ffffb110dcd98919963c86d3670c78010e72543f300df09a3e609b7d4a925e7

Analysis

max time kernel
147s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-10-2024 18:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

infected.exe
Size

4.1MB
MD5

35c57757e99caab8b45bf7564321bf37
SHA1

fb9fb3464ab80d5de580a008144d75db80f78cd0
SHA256

4ffffb110dcd98919963c86d3670c78010e72543f300df09a3e609b7d4a925e7
SHA512

239d2ddd2dc7e9796888671e2b1c04f9818af77ff13f067dc89095dbd4a67dec1d598ee9d1f6835bfa41fafb00b2c8c4c40226b0c1cca00937c912a7ff08b8b5
SSDEEP

49152:b4lEncGp+7N+IsAgixvGIl6xNwYzVIGVqdUF4Zm5Ck+W1ClobS5oeEGwWxG/nRFS:b4lEnBp+psixvGqap3Id2Qmj6q2AGZ

Score

10^/10

orcus discovery rat spyware stealer

Malware Config

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus
Orcus family
orcus

Orcus main payload 1 IoCs

resource	yara_rule
behavioral1/files/0x001c00000002aa9e-14.dat	family_orcus

Orcurs Rat Executable 2 IoCs

resource	yara_rule
behavioral1/memory/2956-1-0x0000000000280000-0x00000000006A2000-memory.dmp	orcus
behavioral1/files/0x001c00000002aa9e-14.dat	orcus

Executes dropped EXE 4 IoCs

pid	Process
2660	basegeo.exe
3628	basegeo.exe
2892	basegeo.exe
4704	basegeo.exe

Loads dropped DLL 18 IoCs

pid	Process
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	infected.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basegeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basegeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basegeo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basegeo.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	basegeo.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	basegeo.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2956	infected.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe
2660	basegeo.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	infected.exe
Token: SeDebugPrivilege	2660	basegeo.exe
Token: SeBackupPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe
Token: SeSecurityPrivilege	2660	basegeo.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2956 wrote to memory of 2660	2956	infected.exe	77
PID 2956 wrote to memory of 2660	2956	infected.exe	77
PID 2956 wrote to memory of 2660	2956	infected.exe	77
PID 2660 wrote to memory of 3472	2660	basegeo.exe	79
PID 2660 wrote to memory of 3472	2660	basegeo.exe	79
PID 2660 wrote to memory of 3472	2660	basegeo.exe	79
PID 2660 wrote to memory of 3576	2660	basegeo.exe	80
PID 2660 wrote to memory of 3576	2660	basegeo.exe	80
PID 2660 wrote to memory of 3576	2660	basegeo.exe	80
PID 2660 wrote to memory of 3584	2660	basegeo.exe	81
PID 2660 wrote to memory of 3584	2660	basegeo.exe	81
PID 2660 wrote to memory of 3584	2660	basegeo.exe	81
PID 2660 wrote to memory of 4460	2660	basegeo.exe	82
PID 2660 wrote to memory of 4460	2660	basegeo.exe	82
PID 2660 wrote to memory of 4460	2660	basegeo.exe	82
PID 2660 wrote to memory of 424	2660	basegeo.exe	83
PID 2660 wrote to memory of 424	2660	basegeo.exe	83
PID 2660 wrote to memory of 424	2660	basegeo.exe	83
PID 2660 wrote to memory of 3488	2660	basegeo.exe	84
PID 2660 wrote to memory of 3488	2660	basegeo.exe	84
PID 2660 wrote to memory of 3488	2660	basegeo.exe	84
PID 2660 wrote to memory of 2904	2660	basegeo.exe	85
PID 2660 wrote to memory of 2904	2660	basegeo.exe	85
PID 2660 wrote to memory of 2904	2660	basegeo.exe	85
PID 2660 wrote to memory of 1476	2660	basegeo.exe	86
PID 2660 wrote to memory of 1476	2660	basegeo.exe	86
PID 2660 wrote to memory of 1476	2660	basegeo.exe	86
PID 2660 wrote to memory of 1064	2660	basegeo.exe	87
PID 2660 wrote to memory of 1064	2660	basegeo.exe	87
PID 2660 wrote to memory of 1064	2660	basegeo.exe	87
PID 2660 wrote to memory of 3416	2660	basegeo.exe	88
PID 2660 wrote to memory of 3416	2660	basegeo.exe	88
PID 2660 wrote to memory of 3416	2660	basegeo.exe	88
PID 2660 wrote to memory of 1976	2660	basegeo.exe	89
PID 2660 wrote to memory of 1976	2660	basegeo.exe	89
PID 2660 wrote to memory of 1976	2660	basegeo.exe	89
PID 2660 wrote to memory of 4468	2660	basegeo.exe	90
PID 2660 wrote to memory of 4468	2660	basegeo.exe	90
PID 2660 wrote to memory of 4468	2660	basegeo.exe	90
PID 2660 wrote to memory of 2400	2660	basegeo.exe	91
PID 2660 wrote to memory of 2400	2660	basegeo.exe	91
PID 2660 wrote to memory of 2400	2660	basegeo.exe	91
PID 2660 wrote to memory of 2912	2660	basegeo.exe	92
PID 2660 wrote to memory of 2912	2660	basegeo.exe	92
PID 2660 wrote to memory of 2912	2660	basegeo.exe	92
PID 2660 wrote to memory of 3100	2660	basegeo.exe	93
PID 2660 wrote to memory of 3100	2660	basegeo.exe	93
PID 2660 wrote to memory of 3100	2660	basegeo.exe	93
PID 2660 wrote to memory of 3064	2660	basegeo.exe	94
PID 2660 wrote to memory of 3064	2660	basegeo.exe	94
PID 2660 wrote to memory of 3064	2660	basegeo.exe	94
PID 2660 wrote to memory of 3716	2660	basegeo.exe	95
PID 2660 wrote to memory of 3716	2660	basegeo.exe	95
PID 2660 wrote to memory of 3716	2660	basegeo.exe	95
PID 2660 wrote to memory of 3712	2660	basegeo.exe	96
PID 2660 wrote to memory of 3712	2660	basegeo.exe	96
PID 2660 wrote to memory of 3712	2660	basegeo.exe	96
PID 2660 wrote to memory of 3312	2660	basegeo.exe	97
PID 2660 wrote to memory of 3312	2660	basegeo.exe	97
PID 2660 wrote to memory of 3312	2660	basegeo.exe	97
PID 2660 wrote to memory of 3220	2660	basegeo.exe	98
PID 2660 wrote to memory of 3220	2660	basegeo.exe	98
PID 2660 wrote to memory of 3220	2660	basegeo.exe	98
PID 2660 wrote to memory of 3164	2660	basegeo.exe	99

C:\Users\Admin\AppData\Local\Temp\infected.exe
"C:\Users\Admin\AppData\Local\Temp\infected.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956
- C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe
  "C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:3472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:3576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:3584
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:4460
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:424
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:3488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:2904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:1476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:1064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:3416
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:1976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:4468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2400
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2912
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:3100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:3064
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:3716
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:3712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:3312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:3220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:3164
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:3788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:2804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regasm.exe"
    3⤵
    PID:1120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:1604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:2576
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:2816
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:3092
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:1832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:668
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:904
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:3964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:1220
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\caspol.exe"
    3⤵
    PID:1188
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:3124
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:2500
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:1428
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:3504
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\msbuild.exe"
    3⤵
    PID:848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:3940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:4624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:3604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:1280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:1708
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:4856
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:5016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:2032
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\installutil.exe"
    3⤵
    PID:3644

C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe
C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3628

C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe
C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2892

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:2968

C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe
C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\basegeo.exe.log

Filesize
1KB

MD5
23095077e59941121be408de05f8843b

SHA1
6a85a4fb6a47e96b4c65f8849647ff486273b513

SHA256
49cc85a6bad5faf998eae8f1156e4a3cdd0273ff30a7828f5545689eb22e3fe5

SHA512
05644cd4aa2128e4c40993e4033ae3102705ee27c157d8376180c81e58b61c2801ca8deed6a256c79bc409e40f9ab5c66e2b2492f6c60871fb575eb6cce73211

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe

Filesize
4.1MB

MD5
35c57757e99caab8b45bf7564321bf37

SHA1
fb9fb3464ab80d5de580a008144d75db80f78cd0

SHA256
4ffffb110dcd98919963c86d3670c78010e72543f300df09a3e609b7d4a925e7

SHA512
239d2ddd2dc7e9796888671e2b1c04f9818af77ff13f067dc89095dbd4a67dec1d598ee9d1f6835bfa41fafb00b2c8c4c40226b0c1cca00937c912a7ff08b8b5

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\basegeo.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\lib_sudo_g6tss5ba16q4skdq0um5z18witqv6ub4\AForge.Video.DirectShow.dll

Filesize
60KB

MD5
17ed442e8485ac3f7dc5b3c089654a61

SHA1
d3a17c1fdd6d54951141053f88bf8238dea0b937

SHA256
666d44798d94eafa1ed21af79e9bc0293ffd96f863ab5d87f78bcee9ef9ffd6b

SHA512
9118bf11760354e9971ae8b27f7f6a405e46145b39ca6e6b413cb2e729e51304b895965e9140f66c9e3ef7caa4f344762bf059688b23dd32e4c2df271394fea2

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\lib_sudo_g6tss5ba16q4skdq0um5z18witqv6ub4\AForge.Video.dll

Filesize
20KB

MD5
0bd34aa29c7ea4181900797395a6da78

SHA1
ddffdcef29daddc36ca7d8ae2c8e01c1c8bb23a8

SHA256
bafa6ed04ca2782270074127a0498dde022c2a9f4096c6bb2b8e3c08bb3d404d

SHA512
a3734660c0aba1c2b27ab55f9e578371b56c82754a3b7cfd01e68c88967c8dada8d202260220831f1d1039a5a35bd1a67624398e689702481ac056d1c1ddcdb0

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\lib_sudo_g6tss5ba16q4skdq0um5z18witqv6ub4\CSCore.dll

Filesize
519KB

MD5
94a312a6fcec0e78808bcea3d8ff67f5

SHA1
fe760487d13f9a6f5f359036561105d4aca88a1f

SHA256
e835139171eb0d63b6b4e02b0997cac040c02d295648a275d4c8d28b234c8e94

SHA512
ecdedeee1ee4e35e4fbd2dea3a4dd8b0805166a9610a63affbfb673f2644588eacecba6b3a5a0052c202ab14c321800997512abc318d36a50b00cc86dc83ec1c

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\lib_sudo_g6tss5ba16q4skdq0um5z18witqv6ub4\DirectoryInfoEx.dll

Filesize
224KB

MD5
314955d214bb02847e7f8607a16ec550

SHA1
c471e2948d0cd1d4a11902a134735f00cd78c0c1

SHA256
82fd40348eb630313d5032910d021ebd982fdde086fbe73ba8947a6d2cb40357

SHA512
0ea2457db279159c1983455eee50a69305a151c012b9948950d038c101efc08a00da1f456a76a4351770684783c2e01a536ea194bb7f586865865d90d6dbb8de

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\lib_sudo_g6tss5ba16q4skdq0um5z18witqv6ub4\ICSharpCode.SharpZipLib.dll

Filesize
196KB

MD5
c8164876b6f66616d68387443621510c

SHA1
7a9df9c25d49690b6a3c451607d311a866b131f4

SHA256
40b3d590f95191f3e33e5d00e534fa40f823d9b1bb2a9afe05f139c4e0a3af8d

SHA512
44a6accc70c312a16d0e533d3287e380997c5e5d610dbeaa14b2dbb5567f2c41253b895c9817ecd96c85d286795bbe6ab35fd2352fddd9d191669a2fb0774bc4

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\lib_sudo_g6tss5ba16q4skdq0um5z18witqv6ub4\OpusWrapper.dll

Filesize
843KB

MD5
82d81db56da138efee7fdd49fd3c5494

SHA1
fde6142f6d910d56843f22f182976ba3318b32a9

SHA256
c9cabcd5fd7af81c2929eb8599ed13e6d3f679874bca3c7b112c516bd35c29fa

SHA512
086aaabfc0a8bd4bed05550e67bf9cd4f5e01f1edf00e707c8caeef5ea3d4f10d55d1a5ab1b88e2ff40269c9fb3c28192f31bd467b0128ab6ba7718d3912f511

Download Submit
C:\Users\Admin\AppData\Roaming\longpollvideo\lib_sudo_g6tss5ba16q4skdq0um5z18witqv6ub4\ShellLibrary.dll

Filesize
64KB

MD5
20aa983bd64aa1f8a37d9e61961eabec

SHA1
48dfd92883f6b60252ab01e57f8de75d21edf173

SHA256
ace8dc565164e7612ed3f964a5d16bdcdda0aac7185ba3639b3b7c6064ca1124

SHA512
27560fc2983cde678bc3367563c05452004db9dc2523e30ed43ecc413e1ead0eb5d77152f17bd17c58dfe48b2ff7c1c413b6b4da483a664bab3167e74dc3486d

Download Submit
memory/2660-45-0x0000000008570000-0x0000000008732000-memory.dmp

Filesize
1.8MB

Download
memory/2660-44-0x0000000008290000-0x000000000839A000-memory.dmp

Filesize
1.0MB

Download
memory/2660-24-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/2660-26-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/2660-27-0x00000000071F0000-0x000000000723E000-memory.dmp

Filesize
312KB

Download
memory/2660-29-0x00000000080E0000-0x000000000817C000-memory.dmp

Filesize
624KB

Download
memory/2660-216-0x0000000001A20000-0x0000000001A36000-memory.dmp

Filesize
88KB

Download
memory/2660-32-0x0000000005DA0000-0x0000000005DB8000-memory.dmp

Filesize
96KB

Download
memory/2660-33-0x0000000005DD0000-0x0000000005DE0000-memory.dmp

Filesize
64KB

Download
memory/2660-34-0x00000000063A0000-0x00000000063AA000-memory.dmp

Filesize
40KB

Download
memory/2660-209-0x00000000019F0000-0x00000000019FC000-memory.dmp

Filesize
48KB

Download
memory/2660-37-0x0000000006980000-0x00000000069E6000-memory.dmp

Filesize
408KB

Download
memory/2660-170-0x0000000008F60000-0x0000000008F6E000-memory.dmp

Filesize
56KB

Download
memory/2660-41-0x0000000006A70000-0x0000000006A82000-memory.dmp

Filesize
72KB

Download
memory/2660-40-0x00000000087A0000-0x0000000008DB8000-memory.dmp

Filesize
6.1MB

Download
memory/2660-42-0x0000000006C80000-0x0000000006CBC000-memory.dmp

Filesize
240KB

Download
memory/2660-43-0x0000000006CC0000-0x0000000006D0C000-memory.dmp

Filesize
304KB

Download
memory/2660-96-0x0000000040000000-0x00000000404C4000-memory.dmp

Filesize
4.8MB

Download
memory/2660-167-0x0000000009F90000-0x0000000009F9E000-memory.dmp

Filesize
56KB

Download
memory/2660-46-0x0000000008240000-0x000000000824E000-memory.dmp

Filesize
56KB

Download
memory/2660-47-0x0000000008F10000-0x0000000008F60000-memory.dmp

Filesize
320KB

Download
memory/2660-48-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/2660-49-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/2660-165-0x000000000A770000-0x000000000A81A000-memory.dmp

Filesize
680KB

Download
memory/2660-54-0x0000000008FF0000-0x0000000009076000-memory.dmp

Filesize
536KB

Download
memory/2660-161-0x0000000009F90000-0x0000000009F9E000-memory.dmp

Filesize
56KB

Download
memory/2660-62-0x0000000009160000-0x000000000923A000-memory.dmp

Filesize
872KB

Download
memory/2660-65-0x0000000009970000-0x0000000009E9C000-memory.dmp

Filesize
5.2MB

Download
memory/2660-70-0x0000000005D40000-0x0000000005D7E000-memory.dmp

Filesize
248KB

Download
memory/2660-113-0x0000000040000000-0x0000000040A99000-memory.dmp

Filesize
10.6MB

Download
memory/2660-109-0x0000000040000000-0x00000000400F6000-memory.dmp

Filesize
984KB

Download
memory/2660-77-0x0000000008060000-0x0000000008076000-memory.dmp

Filesize
88KB

Download
memory/2660-102-0x0000000040000000-0x0000000040007000-memory.dmp

Filesize
28KB

Download
memory/2660-84-0x0000000008FA0000-0x0000000008FD4000-memory.dmp

Filesize
208KB

Download
memory/2660-89-0x0000000040000000-0x000000004043E000-memory.dmp

Filesize
4.2MB

Download
memory/2956-9-0x0000000006D10000-0x0000000006D22000-memory.dmp

Filesize
72KB

Download
memory/2956-4-0x00000000029E0000-0x00000000029EE000-memory.dmp

Filesize
56KB

Download
memory/2956-5-0x00000000029F0000-0x0000000002A4C000-memory.dmp

Filesize
368KB

Download
memory/2956-6-0x0000000006DD0000-0x0000000007376000-memory.dmp

Filesize
5.6MB

Download
memory/2956-3-0x00000000063B0000-0x0000000006660000-memory.dmp

Filesize
2.7MB

Download
memory/2956-7-0x0000000006920000-0x00000000069B2000-memory.dmp

Filesize
584KB

Download
memory/2956-25-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/2956-0-0x0000000074CFE000-0x0000000074CFF000-memory.dmp

Filesize
4KB

Download
memory/2956-2-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/2956-1-0x0000000000280000-0x00000000006A2000-memory.dmp

Filesize
4.1MB

Download
memory/3628-39-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/3628-31-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download
memory/3628-30-0x0000000074CF0000-0x00000000754A1000-memory.dmp

Filesize
7.7MB

Download